Introduction to SNMP
This section describes different versions of SNMP, the packet types supported by SNMP, and how SNMP processes packets.
SNMP Version
There are three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.
SNMPv1 and SNMPv2c rely on community names for authentication. The NMS uses the community name list to control access to managed nodes. The agent does not check whether the sender uses an authorized community name. SNMP messages are transmitted without encryption. As a result, SNMPv1 and SNMPv2c cannot provide secure authentication or privacy.
Compared with SNMPv1, SNMPv2c supports:
- More operations
- More data types
- More error codes
- Multiple transport layer protocols
SNMPv3 provides all functions of SNMPv1 and SNMPv2c and a security mechanism that authenticates and encrypts SNMP packets.
In terms of security, SNMPv3 covers two areas: data security and access control.
SNMPv3 ensures the security for SNMP packets in the following ways:
- Data integrity check
Data cannot be modified without authorization, and reordering of packets is restricted to an allowed extent.
- Data source verification
SNMPv3 verifies the managed node from which packets are sent. SNMPv3 performs this security check based on managed nodes: it authenticates the managed nodes that generate packets, not the applications running on them.
- Data authentication check
When the NMS or an agent receives a message, it checks the time at which the message was generated. If the difference between the creation time and the current system time exceeds the specified time range, the message is discarded. This protects data against tampering during transmission and prevents the reception or processing of malicious data.
SNMPv3 access control is a protocol-based security check that controls access to MOs.
SNMP PDUs
Figure 1-2 shows the PDUs (SNMP packets) exchanged between the NMS and an agent.
The SNMP packets are described as follows:
- get-request: The NMS reads one or more parameter values from the agent.
- get-next-request: The NMS reads the next parameter value (the one following the current parameter value) from the agent.
- set-request: The NMS sets one or more parameter values for the agent.
- get-response: The agent returns one or more parameter values to respond to the preceding three requests.
- trap: This packet is proactively sent by the agent to the NMS to notify the NMS of certain events.
The first three operations are initiated from the NMS to the agent, whereas the last two operations are initiated from the agent to the NMS.
SNMP Packet Processing
An agent receives requests from the NMS through UDP port 161.
The agent processes a received packet as follows:
- Decodes the packet. Following the ASN.1 encoding rules, the agent converts the packet into its internal data structure. If decoding fails for any reason, the agent discards the packet.
- Checks the SNMP version. The agent compares the SNMP version in the received packet with the list of supported versions. If the version is not included in the list, the agent discards the packet.
- Checks the community name. The community name in the packet is inserted by the NMS that sends the packet. If the community name is not supported by the managed node where the agent resides, the agent discards the packet and at the same time returns a trap packet to the NMS. SNMPv1 provides weak security measures, which are enhanced in SNMPv3.
- Obtains the SNMP PDU from the authenticated ASN.1 object. If the operation fails, the agent discards the packet.
- Handles the PDU. The agent handles the PDU according to its SNMP entity. The agent searches the MIB tree for the node matching the variable to be managed and obtains the variable value from the corresponding module. Then, the agent generates the response packet, encodes the packet, and sends the encoded response to the NMS.
- The NMS processes the response in a similar way and displays the final result.
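The processing steps above, as an added example that is not part of the original manual and not the S9300's own implementation: a small Python agent front end that BER-decodes an SNMPv1/v2c message, applies the version and community checks, and extracts the request PDU and its OIDs before it would be handled against the MIB. All function and constant names are assumptions, and the sample packet is constructed.

```python
# Added example (not the S9300 code; names hypothetical): agent front end applying the steps above.
SUPPORTED_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c"}
REQUEST_PDUS = {0xA0: "get-request", 0xA1: "get-next-request", 0xA3: "set-request"}
SAMPLE_GET_REQUEST = bytes.fromhex(  # constructed SNMPv1 get-request for sysDescr.0, community "public"
    "3026 020100 04067075626c6963 a019 020101 020100 020100 300e 300c 06082b06010201010100 0500")

def read_tlv(buf, pos=0):  # one BER TLV at pos -> (tag, content, next_pos); raises if truncated
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def read_seq(buf):  # every consecutive TLV in buf -> [(tag, content), ...]
    items, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        items.append((tag, content))
    return items

def decode_oid(content):  # BER OBJECT IDENTIFIER content octets -> dotted string
    arcs, sub = [content[0] // 40, content[0] % 40], 0    # first octet = 40*arc1 + arc2
    for b in content[1:]:                              # base-128 sub-identifiers
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:                               # clear high bit ends a sub-id
            arcs, sub = arcs + [sub], 0
    return ".".join(map(str, arcs))

def process_request(packet, community_list):
    """Return ('discard', reason) or ('handle', parsed request) for one SNMPv1/v2c message."""
    try:                                               # step 1: ASN.1/BER decode
        _, msg, _ = read_tlv(packet)                   # outer SEQUENCE
        (_, ver), (_, comm), (pdu_tag, pdu) = read_seq(msg)   # version, community, PDU
    except (ValueError, IndexError) as exc:
        return "discard", f"decode error: {exc}"
    version = int.from_bytes(ver, "big", signed=True)
    if version not in SUPPORTED_VERSIONS:              # step 2: version check
        return "discard", f"unsupported version {version}"
    if comm.decode("latin-1") not in community_list:   # step 3: community check
        return "discard", "unknown community (authentication-failure trap due)"
    try:                                               # step 4: extract the request PDU
        pdu_name = REQUEST_PDUS[pdu_tag]
        req_id, _, _, vbl = [c for _, c in read_seq(pdu)]    # request-id, error-status, error-index, var-binds
        oids = [decode_oid(read_seq(vb)[0][1]) for _, vb in read_seq(vbl)]
    except (KeyError, ValueError, IndexError):
        return "discard", "malformed or non-request PDU"
    return "handle", {"version": SUPPORTED_VERSIONS[version], "pdu": pdu_name,   # step 5 input
                      "request_id": int.from_bytes(req_id, "big"), "oids": oids}
```

The "handle" result carries what step 5 needs to look up the variable in the MIB tree; a real agent would then build and encode the get-response.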
For details about SNMP configuration, see section "CLI-based Configuration > Configuration Guide - Network Management" in the S9300&S9300E User Manual.